With the forced distribution of workers as a result of the COVID-19 pandemic, as well as the natural evolution of the "information age", data and data protection have acquired a significant amount of attention across all levels of society.
Businesses, regulators, consumers, employees, investors, and even lawyers are all looking at data protection as a critical path to success. To this end, there are a number of issues which will likely come to the forefront in 2021 and beyond.
State Privacy Laws
While California was the first state to pass a (reasonably) comprehensive privacy law (as opposed to a cybersecurity law), it was not the only state to try. Since 2018, multiple states have tried and failed to pass California Consumer Privacy Act (CCPA)-style statutes. However, we are now seeing not just momentum, but actual progress in these state initiatives. Virginia passed its version of the CCPA (the Consumer Data Protection Act, or CDPA) on March 2, 2021. Washington State looks poised to pass its version of the CCPA. Additionally, Florida and New York have strong momentum in their legislatures to pass CCPA-style laws.
The big factors in these state initiatives are: 1) who gets to enforce the law, 2) scope of application, and 3) preemption by other laws. So far, we haven't seen a law permitting a private right of action pass out of a state house. However, proposals permitting such private rights of action have been included in the drafting process for all of the state bills. Should a private right of action appear, we can expect significant litigation under these statutes as the practices that these laws regulate are central to most of how commerce happens.
The scope of who the law applies to and what constitutes personal data are also evolving. The CCPA originally applied to everyone, and any data about everyone. The trend we are seeing now is the narrowing of the scope of individuals the law applies to (generally just “consumers”) but the expansion of the scope of data covered. Biometric data, event data recorder data (vehicle “black box” data), wellness data (non-health care data), “wearable” data, and even “Internet of Things” device data are now all subject to the requirements and restrictions of the expanding universe of state privacy laws.
One of the challenges with these new laws is that they are designed to limit the scope and uses of data. However, there are a number of existing state and federal laws which implicate the data handling practices addressed in the privacy laws. While each of the state privacy laws attempts to carve out exemptions for existing regulations, these exemptions (e.g. HIPAA, Gramm-Leach-Bliley, Fair Credit Reporting Act (FCRA), etc.) are not always consistently drafted. The exemptions can even be drafted in different ways in the same act. For example, the CCPA exempts “any activity” governed by the FCRA, but only exempts “entities” governed by HIPAA. This type of drafting at a minimum creates confusion as to the scope of the exemptions. It is quite possible that such confusion will also create litigation when the enforcement actions start to pick up steam.
Privacy Is Everywhere
As the world becomes a smaller and smaller place, with the ever-increasing expansion of interconnectivity across geopolitical boundaries, data protection becomes a much more significant issue. Whether it is workforce management, M&A activity, or entering into new markets, all “first” and “second world” countries have data protection laws. Many of these are modeled off of the EU's General Data Protection Regulation. As such, while the US is currently struggling to birth its own approach to data protection, almost all of our international trading partners have strong data protection laws. This is not limited just to the European continent. It includes places like Mexico, Argentina, Colombia, Israel, Japan, and Egypt. As a result, businesses which deal in data (and that is all of them – see third point below) are now having to take data protection regulation into consideration across all of their operations. Otherwise, they run the risk of significant fines and costly litigation. Even in those jurisdictions where litigation isn't as common as in the US, the functional regulators are seeing data protection fines as a means to self-fund their offices. There is a very real financial incentive for enforcement actions under the various data protection laws.
Data Is a Capital Asset
With the increasing number of privacy laws which are being proposed and passed at the state level, as well as the implication of international data protection laws in many modern businesses, there is a tension between these laws and the ability of a business to leverage and monetize data as an asset. This is becoming more important as well, as most businesses recognize that the traditional way of operating is limited in terms of growth. All businesses are becoming “data businesses”. Retail is looking at how on-line marketing, retargeting, and related data-heavy practices can improve their profitability. In fact, with the pandemic, retailers are facing a reality where on-line property is more valuable than brick-and-mortar properties. Retail isn't the only market to start to understand how “virtualization” is the wave of the future. Health care (telehealth), auto dealerships (Vroom and Carvana), banking, manufacturing, and utilities are all industries which are looking to improve their profitability via the use of data. As is the case with any valuable capital asset, disputes arise, regulation is developed, and “reasonable protections” are necessary to ensure that the appropriate parties have their rights protected.
Unlike traditional capital assets, data as a capital asset will always have at least one additional stakeholder in the equation–the individual data subject. As a consequence, businesses need to develop not just an understanding of how to monetize data, but also how to benefit the data subjects who make up a critical part of the ecosystem. This includes implementing “reasonable” information security – an obligation which is being included in all the various privacy laws at the state and federal level. Additionally, we expect to see management and owners of businesses start to view information security the same way they do financial reporting and other asset management and control systems. This will likely lead to increased scrutiny by lawyers for the various stakeholders to ensure that the asset isn't being abused. As part of this scrutiny, we predict that new and novel legal theories will start to show up in litigation, contract negotiation, and even insurance policies which address the needs for businesses (and their vendors) to consider information security and privacy in the same manner that quality is addressed. Theories like breach of fiduciary duties, waste, negligence, fraud, unfair or deceptive trade practices, may be used to impose liability on data supply chain participants who don't take proper precautions in ensuring a proper legal basis for processing, or in securing data. All of the existing legal risks associated with asset management will start to get applied to data protection. It won't be just about “privacy” any more. It will be about “responsible information management” or “data governance”.